DNS referral / delegation: which DNS is responsible; How to delegate the right way?

Solution 1:

Firstly, may I congratulate you on what I think is a well-written, clear, and well-researched question, and for not redacting the domain name; that last is hugely helpful in answering.

Let me address the substantive issue, if I may: the whois points to a different set of nameservers than those which you have set up to be authoritative:

    [me@risby ~]$ whois earechnung.at
    [Querying whois.nic.at]
    [...]
    domain:         earechnung.at
    registrant:     MAT8777331-NICAT
    admin-c:        AT8777330-NICAT
    tech-c:         MH536567-NICAT
    nserver:        ns1.your-server.de
    nserver:        ns3.second-ns.de
    nserver:        ns.second-ns.com
    changed:        20121004 15:29:23
    source:         AT-DOM

Note the three listed servers. I freely concede that you have those servers set up to serve NS records that point the query elsewhere - but you also have them set up with data to respond to the authoritative request, and their server believes itself to be authoritative for the zone and can therefore lawfully return authoritative negative responses for RRs it doesn't know about. The right thing to do in this case is go back to the registrar, which I think is Hetzner in this case, and change the nameserver records not in their DNS server, but in their registration server - the device that populates the whois for .at. - to return your two new servers ns5.kasserver.com. and ns6.kasserver.com.

The business of serving a set of NS records to delegate a subzone works perfectly when it's used to do that: delegate a subzone of the one which was followed to the current set of nameservers. Using them more like an HTTP 301 redirect is unusual, and - as you have found - may not work perfectly.

As to best practice, it's completely normal to use one provider for registration and another for DNS provision. That said, the two tasks are often so closely welded that some registrars can't cope with having a registered zone on any DNS servers but their own. If Hetzner is one such, you will need to move the domain registration to a different registrar.
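
Added example (not part of the answer above, and not code from any of the providers named): a small offline check for the mismatch the answer describes, comparing the NS set the registry publishes with the apex NS set each delegated server returns. The function name, the observation format and the BEFORE/AFTER data are assumptions constructed from the answer's description, not captured DNS responses.

```python
# Added example: audit a delegation for parent/child NS disagreement.
# The observations below are constructed from the answer's description,
# not captured from live DNS queries.

def norm(name):
    """Compare host names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def audit_delegation(parent_ns, observations):
    """parent_ns: NS names the registry publishes (the whois nserver lines).
    observations: {server: {"aa": bool, "apex_ns": [names]}} describing what
    each delegated server answers for the zone's apex NS query.
    Returns a sorted list of (server, finding) tuples; empty means consistent."""
    parent = {norm(n) for n in parent_ns}
    findings = []
    for server, obs in observations.items():
        server = norm(server)
        child = {norm(n) for n in obs["apex_ns"]}
        if not obs["aa"]:
            findings.append((server, "lame: delegated but not authoritative"))
            continue
        if child != parent:
            findings.append((server, "apex NS set differs from registry delegation"))
        if server not in child:
            # Resolvers stop at this server: its authoritative negative answers
            # are final even though the zone data lives on the servers in `child`.
            findings.append((server, "authoritative but absent from its own NS set"))
    return sorted(findings)

PARENT_NS = ["ns1.your-server.de", "ns3.second-ns.de", "ns.second-ns.com"]
INTENDED_NS = ["ns5.kasserver.com.", "ns6.kasserver.com."]

# Constructed: current state (registry still lists the old servers, which
# answer authoritatively while serving NS records that point elsewhere).
BEFORE = {s: {"aa": True, "apex_ns": INTENDED_NS} for s in PARENT_NS}
# Constructed: state after the registration is changed to the new servers.
AFTER = {s: {"aa": True, "apex_ns": INTENDED_NS} for s in INTENDED_NS}

if __name__ == "__main__":
    for server, finding in audit_delegation(PARENT_NS, BEFORE):
        print(f"{server}: {finding}")
    print("after fix:", audit_delegation(INTENDED_NS, AFTER) or "consistent")
```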